Merge branch 'public' into public

Author: denisebmsft

ATPDocs/automated-response-exclusions.md

@@ -18,27 +18,30 @@ For example, an incident involving Attack Disruption, where response actions are
 
 ## How to add automated response exclusions
 
-1. In [Microsoft Defender XDR](https://security.microsoft.com/), go to **Settings** and then **Identities**.
 
-    ![Go to Settings, then Identities.](media/settings-identities.png)
+1. In the [Microsoft Defender XDR](https://security.microsoft.com/) portal, go to **Settings** and then **Microsoft Defender XDR**.
 
-1. You'll then see **Automated response exclusions** in the left-hand menu.
+   :::image type="content" source="media/automated-response-exclusions/screenshot-xdr-settings1.png" alt-text="Go to Settings, then Microsoft Defender XDR.":::
 
-    ![Automated response exclusions.](media/automated-response-exclusions.png)
+ 
+2. You'll see **Automated response > Identities** in the left-side menu.
 
-1. To exclude specific users, select **Exclude Users**.
+    :::image type="content" source="media/automated-response-exclusions/screenshot-xdr-automated-response.png" alt-text="Go to Automated response then Identities.":::
+ 
+3. To exclude specific users, select **Add User Exclusion**.
 
-    :::image type="content" source="media/exclude-users.png" alt-text="Exclude specific users.":::
-
-1. Search for the users to exclude and select the **Exclude Users** button.
+   :::image type="content" source="media/automated-response-exclusions/screenshot-xdr-add-exclusion.png" alt-text="Exclude specific users.":::
+      
+4. Search for the users to exclude and select the **Exclude Users** button.
 
     :::image type="content" source="media/exclude-specific-users.png" alt-text="Choose which users to exclude.":::
+   
+5. To remove excluded users, select the relevant users from the list and select the **Remove** button.
 
-1. To remove excluded users, select the relevant users from the list and select the **Remove** button.
-
-    :::image type="content" source="media/remove-excluded-users.png" alt-text="Remove excluded users.":::
-
+     :::image type="content" source="media/remove-excluded-users.png" alt-text="Remove excluded users.":::
+   
 ## See also
 
 - [Configure event collection](deploy/configure-event-collection.md)
-- [Check out the Defender for Identity forum!](<https://aka.ms/MDIcommunity>)
+- [Check out the Defender for Identity forum!](https://aka.ms/MDIcommunity)
+

ATPDocs/media/automated-response-exclusions/screenshot-xdr-add-exclusion.png

@@ -15,7 +15,7 @@ ms.collection:
 ms.topic: conceptual
 ms.subservice: android
 search.appverid: met150
-ms.date: 02/11/2025
+ms.date: 06/05/2025
 ---
 
 # Configure Defender for Endpoint on Android features
@@ -70,53 +70,53 @@ In the Microsoft Intune admin center, navigate to Apps > App configuration polic
 
 3. If your organization uses root CAs that are private, you must establish explicit trust between Intune (MDM solution) and user devices. Establishing trust helps prevent Defender from flagging root CAs as rogue certificates.
 
-    To establish trust for the root CAs, use **'Trusted CA certificate list for Network Protection'** as the key. In the value, add the **'comma separated list of certificate thumbprints (SHA 1)'**.
+   To establish trust for the root CAs, use **'Trusted CA certificate list for Network Protection'** as the key. In the value, add the **'comma separated list of certificate thumbprints (SHA 1)'**.
 
-    **Example of Thumbprint format to add**: `50 30 06 09 1d 97 d4 f5 ae 39 f7 cb e7 92 7d 7d 65 2d 34 31, 503006091d97d4f5ae39f7cbe7927d7d652d3431`
+   **Example of Thumbprint format to add**: `50 30 06 09 1d 97 d4 f5 ae 39 f7 cb e7 92 7d 7d 65 2d 34 31, 503006091d97d4f5ae39f7cbe7927d7d652d3431`
 
-      > [!IMPORTANT]
-      > Certificate SHA-1 Thumbprint characters should be with either white space separated, or non separated.
-      >
-      > This format is invalid: `50:30:06:09:1d:97:d4:f5:ae:39:f7:cb:e7:92:7d:7d:65:2d:34:31`
+   > [!IMPORTANT]
+   > Certificate SHA-1 Thumbprint characters should be with either white space separated, or non separated.
+   >
+   > This format is invalid: `50:30:06:09:1d:97:d4:f5:ae:39:f7:cb:e7:92:7d:7d:65:2d:34:31`
 
-      Any other separation characters are invalid.
+   Any other separation characters are invalid.
 
-4. For other configurations related to Network protection, add the following keys and appropriate corresponding value.
+1. For other configurations related to Network protection, add the following keys and appropriate corresponding value.
 
    | Configuration Key| Description|
    |---|---|
    |Trusted CA certificate list for Network Protection|Security admins manage this setting to establish trust for root CA and self-signed certificates.|
    |Enable Network protection in Microsoft Defender|1 - Enable (default), 0- Disable. This setting is used by the IT admin to enable or disable the network protection capabilities in the Defender app.|
    |Enable Network Protection Privacy|1 - Enable (default), 0 - Disable. Security admins manage this setting to enable or disable privacy in network protection.|
    |Enable Users to Trust Networks and Certificates|1 - Enable, 0 - Disable (default). Security admins manage this setting to enable or disable the end user's in-app experience to trust and untrust unsecure and suspicious networks and malicious certificates.|
-   |Automatic Remediation of Network Protection Alerts|1 - Enable (default), 0 - Disable. Security admins manage this setting to enable or disable the remediation alerts that are sent when a user performs remediation activities, such as switching to a safer Wi-Fi access point or deleting suspicious certificates detected by Defender.|
-   |Manage Network Protection detection for Open Networks|2- Enable (default), 1- Audit mode, 0 - Disable. Security admins manage this setting to enable, audit, or disable open network detection, respectively. In 'Audit' mode, alerts are sent only to the ATP portal with no end user experience. For end user experience, the config should be set to 'Enable' mode.|
-   |Manage Network protection Detection for Certificates|2- Enable, 1- Audit mode, 0 - Disable (default).  In Audit mode, notification alerts are sent to SOC admins, but no end-user notifications are displayed to the user when Defender detects a bad certificate. Admins can, however, enable full feature functionality by setting 2 as the value. When the feature is enabled with the value of 2, end-user notifications are sent to the user when Defender detects a bad certificate, and alerts are also sent to the SOC Admin. |
+   |Automatic Remediation of Network Protection Alerts|1 - Enable (default), 0 - Disable. Security admins manage this setting to enable or disable the remediation alerts that are sent when a user performs remediation activities, such as switching to a safer Wi-Fi access point or deleting suspicious certificates detected by Defender. This setting applies exclusively to alerts and does not impact device timeline events. As a result, it will not affect open Wi-Fi networks or self-signed certificates.|
+   |Manage Network Protection detection for Open Networks|2- Enable (default), 1- Audit mode, 0 - Disable. Security admins manage this setting to enable, audit, or disable open network detection, respectively. In 'Audit' mode, events are sent only to the ATP portal with no end user experience. For end user experience, the config should be set to 'Enable' mode.|
+   |Manage Network protection Detection for Certificates|2- Enable, 1- Audit mode, 0 - Disable (default).  In Audit mode, events are sent to SOC admins, but no end-user notifications are displayed to the user when Defender detects a bad certificate. Admins can, however, enable full feature functionality by setting 2 as the value. When the feature is enabled with the value of 2, end-user notifications are sent to the user when Defender detects a bad certificate, and events are also sent to the SOC Admin. |
 
-5. Add the required groups to which the policy has to be applied. Review and create the policy.
+1. Add the required groups to which the policy has to be applied. Review and create the policy.
 
-   | Configuration Key| Description|
+   | Configuration Key | Description|
    |---|---|
    |Enable Network protection in Microsoft Defender|1: Enable (default)<br/> 0: Disable<br/><br/> This setting is used by the IT admin to enable or disable the network protection capabilities in the Defender app.|
    |Enable Network Protection Privacy|1: Enable (default) <br/> 0: Disable <br/><br/> Security admins manage this setting to enable or disable privacy in network protection.|
    |Enable Users to Trust Networks and Certificates|1: Enable <br/>0: Disable (default) <br/><br/> This setting is used by IT admins to enable or disable the end user in-app experience to trust and untrust the unsecure and suspicious networks and malicious certificates.|
-   |Automatic Remediation of Network Protection Alerts|1: Enable (default) <br/> 0: Disable <br/><br/> This setting is used by IT admins to enable or disable the remediation alerts that are sent when a user does remediation activities. For example, the user switches to a safer Wi-Fi access point or deletes suspicious certificates that were detected by Defender.|
-   |Manage Network Protection detection for Open Networks| 2:  Enable (default)<br/> 1: Audit Mode <br/> 0: Disable <br/>  Security admins manage this setting to enable or disable open network detection.|
-   |Manage Network protection Detection for Certificates|2: Enable <br/> 1: Audit mode<br/> 0: Disable (default)<br/><br/>In audit mode, notification alerts are sent to SOC admins, but no end user notifications are shown when Defender detects a bad certificate. Admins can enable full feature functionality by setting the value 2. When the value is 2, end user notifications are sent to users and alerts are sent to SOC admins when Defender detects a bad certificate.|
-
-6. Add the required groups to which the policy has to be applied. Review and create the policy.
+   |Automatic Remediation of Network Protection Alerts|1: Enable (default) <br/> 0: Disable <br/><br/> This setting is used by IT admins to enable or disable the remediation alerts that are sent when a user does remediation activities. For example, the user switches to a safer Wi-Fi access point or deletes suspicious certificates that were detected by Defender. This setting only applies to alerts and does not affect device timeline events. As such, it does not apply to the detection of open Wi-Fi networks or self-signed certificates |
+   | Open network detection | 2:  Enable (default)<br/> 1: Audit Mode <br/> 0: Disable <br/><br/>Security admins manage this setting to enable or disable open network detection. |
+   |Manage Network protection Detection for Certificates|2: Enable <br/> 1: Audit mode<br/> 0: Disable (default)<br/><br/>In audit mode, events are sent to SOC admins, but no end user notifications are shown when Defender detects a bad certificate. Admins can enable full feature functionality by setting the value 2. When the value is 2, end user notifications are sent to users and events are sent to SOC admins when Defender detects a bad certificate.|
+   
+2. Add the required groups to which the policy has to be applied. Review and create the policy.
 
 > [!NOTE]
 > - The other config keys of Network Protection will only work if the parent key '**Enable Network Protection in Microsoft Defender'** is enabled.
 > - To ensure comprehensive protection against Wi-Fi threats, users should enable location permission and select the "Allow All the Time" option. This permission is optional but highly recommended, even when the app is not actively in use. If location permission is denied, Defender for Endpoint will only offer limited protection against network threats and will only safeguard users from rogue certificates.
 
 > [!IMPORTANT]
-> Starting May 19, 2025, alerts are no longer generated in the Microsoft Defender portal for mobile devices connecting or disconnecting to an open wireless network and for downloading/installing/deleting self-signed certificates. Instead, these activities are now generated as events and are viewable in the device timeline.</br></br>
-> Here are a key changes about this new experience:</br>
-> - For these changes to take effect, end-users must update to the latest version of Defender for Endpoint on Android available on May 2025. Otherwise, the previous experience of generating alerts will still be in place. If auto-remediation key is enabled by the admin, old alerts are resolved automatically after the changes take effect.</br>
-> - WWhen an end-user connects or disconnects to an open wireless network multiple times within the same 24-hour period, only one event each for the connection and disconnection is generated in that 24-hour period and sent to the device timeline.</br>
-> - Enable Users to Trust Networks: After the update, connection and disconnection events to open wireless networks, including to trusted networks, are sent to the device timeline as events.
-> - Users allow-listed certificates: After the update, downloading/installing/deleting self-signed certificates events, including user-trusted certificates, are sent to the device timeline as events.</br>
+> Starting May 19, 2025, alerts are no longer generated in the Microsoft Defender portal for mobile devices connecting or disconnecting to an open wireless network and for downloading/installing/deleting self-signed certificates. Instead, these activities are now generated as events and are viewable in the device timeline.
+> Here are key changes about this new experience:
+> - For these changes to take effect, end-users must update to the latest version of Defender for Endpoint on Android available on mid-May 2025. Otherwise, the previous experience of generating alerts will still be in place. If auto-remediation key is enabled by the admin, old alerts are resolved automatically after the changes take effect.
+> - When an end-user connects or disconnects to an open wireless network multiple times within the same 24-hour period, only one event each for the connection and disconnection is generated in that 24-hour period and sent to the device timeline.
+> - Enable Users to Trust Networks: After the update, connection and disconnection events to open wireless networks, including trusted networks, are sent to the device timeline as events.
+> - Users allow-listed certificates: After the update, downloading/installing/deleting self-signed certificates events, including user-trusted certificates, are sent to the device timeline as events.
 > - The previous experience of generating alerts for these activities still continue to apply to GCC tenants.
 
 ## Privacy Controls